Three Party Authentication

US 20080235513A1
Filed: 03/19/2007
Published: 09/25/2008
Est. Priority Date: 03/19/2007
Status: Abandoned Application

First Claim

Patent Images

1. A method of using a trust provider to provide identity confirmation for a client device and a server device comprising:

booting the client device from a secure module installed in the client device, the secure module having a secure memory storing a boot program used for the booting and a cryptographic secret shared between the client device and the trust provider;

connecting the server device to the trust provider;

establishing a network connection between the client and server devices;

generating a token comprising a nonce, the token encrypted using the cryptographic secret shared with the trust provider;

passing the token from the client device to the server device;

passing the token from the server device to the trust provider;

decrypting the token at the trust provider to verify an identity of the client device;

passing a response token from the trust provider to the server device, the response token including a verification of the identity of the client device;

passing at least a portion of the response token from the server device to the client device, the at least a portion of the response token including the nonce;

verifying the nonce at the client device as a confirmation of a trusted relationship between the server device and the trust provider and confirmation of the server device'"'"'s authenticity.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A trust provider uses established relationships with a client device and a server of an e-commerce merchant or service provider to assure the identity of each to the other. The e-commerce merchant can request an encrypted token from the client. The client may use a trust-provider key to generate the encrypted token. The server then passes the token to the trust provider, who only accepts tokens from known, authenticated entities. The trust provider then verifies the token and returns a response to the server. The response may include a client verification for use by the server and an encrypted server verification that is forwarded by the server to the client. In this fashion, both the server and client may be authenticated without prior knowledge of each other.

79 Citations

View as Search Results

20 Claims

1. A method of using a trust provider to provide identity confirmation for a client device and a server device comprising:
- booting the client device from a secure module installed in the client device, the secure module having a secure memory storing a boot program used for the booting and a cryptographic secret shared between the client device and the trust provider;
  
  connecting the server device to the trust provider;
  
  establishing a network connection between the client and server devices;
  
  generating a token comprising a nonce, the token encrypted using the cryptographic secret shared with the trust provider;
  
  passing the token from the client device to the server device;
  
  passing the token from the server device to the trust provider;
  
  decrypting the token at the trust provider to verify an identity of the client device;
  
  passing a response token from the trust provider to the server device, the response token including a verification of the identity of the client device;
  
  passing at least a portion of the response token from the server device to the client device, the at least a portion of the response token including the nonce;
  
  verifying the nonce at the client device as a confirmation of a trusted relationship between the server device and the trust provider and confirmation of the server device'"'"'s authenticity.
- View Dependent Claims (2, 3, 4, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein passing the response token from the trust provider to the server device comprises encrypting the at least a portion of the response token including the nonce with the cryptographic secret shared between the client device and the trust provider.
  - 3. The method of claim 2, wherein verifying the nonce at the client device comprises decrypting the at least a portion of the response token using the cryptographic secret shared between the client device and the trust provider.
  - 4. The method of claim 1, further comprising requesting the token from the client device.
  - 6. The method of claim 1, wherein establishing the network connection between the client and server devices comprises establishing a secure socket level (SSL) connection having an encrypted channel using mutually derived session keys at the client and server devices.
  - 7. The method of claim 1, wherein connecting the server device to the trust provider comprises connecting the server device to the trust provider over a secure connection with mutual authentication.
  - 8. The method of claim 1, further comprising encrypting a first portion of the response token that includes the nonce using the cryptographic secret shared between the client and the trust provider and encrypting a second portion of the response token using a second cryptographic secret shared between the trust provider and the server device.
  - 9. The method of claim 1, further comprising verifying the identity of the client device at the server device by examining the verification of the identity of the client device included in the response token.
  - 10. The method of claim 1, further comprising the client device paying the trust provider for the identity confirmation using a stored value account at the client device.

11. An electronic device arranged and adapted for use in an electronic commerce (e-commerce) environment comprising:
- a memory;
  
  a communication device for two way data transmission;
  
  a main processor coupled to the memory and the communication device; and
  
  a security module comprising;
  
  a secure memory storing cryptographic keys associated with a trust provider;
  
  a random number generator for generating a nonce;
  
  a second processor coupled to the secure memory and the random number generator; and
  
  a computer-readable medium having computer-executable instructions comprising;
  
  an encryption module that generates a challenge incorporating the nonce and encrypts the challenge using a key associated with one of the cryptographic keys associated with the trust provider, whereby the encrypted challenge is sent to the trust provider via an e-commerce partner coupled through the communication device.
- View Dependent Claims (12, 13, 14)
- - 12. The electronic device of claim 11, wherein the computer-readable medium has computer-executable instructions further comprising a decryption module for decrypting an encrypted response to the challenge, the encrypted response generated at the trust provider and received from the e-commerce partner over the communication device.
  - 13. The electronic device of claim 12, wherein the computer-readable medium has computer-executable instructions further comprising a verification module for establishing trust with the e-commerce partner when the decrypted response to the challenge matches at least the nonce.
  - 14. The electronic device of claim 11, wherein the secure module comprises a tamper-resistant clock used to generate the challenge and a secure memory storing at least one basic input/output system (BIOS).

15. A method of validating e-commerce participants at a trust entity comprising:
- establishing a mutually authenticated, secure connection between the trust entity and a provider of e-commerce;
  
  receiving from the provider a challenge sent from a client device connected to the provider;
  
  verifying the challenge; and
  
  sending a first confirmation to the provider of the client'"'"'s identity and a second confirmation to the client for use in establishing trust between the client device and the provider.
- View Dependent Claims (5, 16, 17, 18, 19, 20)
- - 5. The method of claim 17 wherein the cryptographic secret shared with the trust provider is a derived symmetric key cryptographic secret shared with the trust provider.
  - 16. The method of claim 15, wherein verifying the challenge comprises decrypting the challenge using a key based on a secret shared between the client device and the trust entity.
  - 17. The method of claim 15, further comprising generating a response to the challenge comprising:
    - generating the first confirmation for use by the provider to confirm the identity of the client device; and
      
      generating the second confirmation for use by the client device to confirm receipt of the challenge by the trust entity.
  - 18. The method of claim 17, wherein generating the second confirmation comprises generating the second confirmation and encrypting the second confirmation with a key based on a secret shared between the client device and the trust entity.
  - 19. The method of claim 17, wherein generating the first confirmation comprises generating the first confirmation and encrypting the second confirmation with a key based on a secret shared between the provider and the trust entity.
  - 20. The method of claim 15, wherein sending the first and second confirmation comprises combining the first and second confirmation into a combined confirmation and sending the combined confirmation to the provider, wherein the provider forwards the second confirmation to the client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Foster, David James, Duffus, James S., Phillips, Thomas G., Sebesta, David Jaroslav

Application Number

US11/687,966
Publication Number

US 20080235513A1
Time in Patent Office

Days
Field of Search
US Class Current

713/185
CPC Class Codes

G06F 21/33   using certificates

G06F 21/445   by mutual authentication, e...

H04L 2209/56   Financial cryptography, e.g...

H04L 63/126   the source of the received ...

H04L 9/0869   involving random numbers or...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3273   for mutual authentication n...

Three Party Authentication

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

79 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Three Party Authentication

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

79 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others